
Joomla Update Fixes Two Critical Issues, 2FA Error

Joomla fixed two critical issues in the content management system and is strongly encouraging users to update their sites immediately.

Web developers who run the content management system Joomla! are strongly encouraged to update their sites immediately.

The company on Tuesday pushed out the most recent version of the CMS, 3.6.4, fixing two critical issues that can lead to account creation and elevated privileges, according to a release update published by the Joomla! Project.

Joomla! 3.6.4 is available. It's a security release and we strongly recommend that you update your sites immediately https://t.co/YKr6MamPAx

Both issues, which the company branded as high severity, were discovered earlier this month and affect versions 3.4.4 through 3.6.3.

Because of inadequate checks, the account creation bug could allow a visitor to register a new account on a site where registration has been disabled. The elevated privileges bug also tangentially deals with registration: because of what Joomla! refers to as “incorrectly used unfiltered data,” a newly registered user could be granted elevated privileges.

The update also remedies a two-factor authentication error that started popping up in the CMS last week. On Oct. 18, following the release of the previous version, 3.6.3, a handful of users who use 2FA reported on Joomla’s GitHub page being locked out of their websites. Users claim they were met with “Must match character set” error notifications and were forced to remove 2FA via their site databases in order to regain access.

The problem stemmed from the fact that Joomla recently upgraded to a new version of FOF, or Framework on Framework, a third-party rapid application development framework for the CMS. The CMS had been using FOFEncryptAesMcrypt but moved to FOFEncryptAesOpenssl with the update, making the Mcrypt-encrypted keys of existing users invalid.

In a pull request on GitHub, Robert Deutz, part of Joomla’s Production Leadership Team, said Joomla fixed the issue and now converts data to OpenSSL if it is encrypted with Mcrypt.

According to researchers with Sucuri, who looked into the issues on Wednesday, exploits for the vulnerabilities have been spotted in the wild.

Marc-Alexandre Montpas, a security researcher at the firm, looked at the code and crafted an exploit to test the company’s firewall. Montpas determined that an attacker could use the arbitrary account creation bug to override user properties, such as the groups a user belongs to (manager, author, administrator, and so on). From there, it is a short path to code execution.
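The root cause Montpas describes is a mass-assignment pattern: raw registration data is bound into the user record, so a client-supplied "groups" field overrides the role the site meant to assign. The following PHP is an added illustration written for this article, not Joomla’s or FOF’s code; the group IDs, the configuration flags and the request body are constructed stand-ins. It shows a vulnerable registration handler beside a hardened one that refuses registration when it is disabled, allow-lists the fields it will accept, and takes group membership only from configuration.

```php
<?php
// Added example (not Joomla's code). Models the registration flaw described
// above: binding every submitted key into the user record lets a request
// dictate group membership. The hardened handler allow-lists fields and sets
// groups from site configuration only.

declare(strict_types=1);

// Constructed, hypothetical group IDs (real sites define their own).
const DEFAULT_REGISTERED_GROUP = 2;   // "Registered"
const ELEVATED_GROUPS = [6, 7, 8];    // e.g. Manager, Administrator, Super User

// Constructed request: a normal registration plus an unexpected "groups" key.
$request = [
    'name'     => 'Example User',
    'username' => 'example',
    'email'    => 'user@example.invalid',
    'password' => 'correct horse battery staple',
    'groups'   => [8],
];

// Vulnerable: no registration-enabled check, and every submitted key is bound.
function registerVulnerable(array $post): ?array
{
    $user = ['groups' => [DEFAULT_REGISTERED_GROUP]];
    foreach ($post as $key => $value) {
        $user[$key] = $value;           // "groups" from the request wins here
    }
    return $user;
}

// Hardened: check the site setting first, accept only known string fields,
// and never read group membership from the request.
function registerHardened(array $post, bool $registrationEnabled): ?array
{
    if (!$registrationEnabled) {
        return null;                    // refuse before touching any input
    }
    $allowed = ['name', 'username', 'email', 'password'];
    $user = [];
    foreach ($allowed as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;                // missing or wrong-typed required field
        }
        $user[$key] = $post[$key];      // password hashing omitted for brevity
    }
    $user['groups'] = [DEFAULT_REGISTERED_GROUP];
    return $user;
}

// Defender's check: did the created account land in an elevated group?
function hasElevatedGroup(?array $user): bool
{
    return $user !== null
        && array_intersect($user['groups'], ELEVATED_GROUPS) !== [];
}

$vuln         = registerVulnerable($request);
$safeDisabled = registerHardened($request, false);
$safeEnabled  = registerHardened($request, true);

printf("vulnerable:          created=%s elevated=%s\n",
    $vuln ? 'yes' : 'no', hasElevatedGroup($vuln) ? 'yes' : 'no');
printf("hardened (disabled): created=%s elevated=%s\n",
    $safeDisabled ? 'yes' : 'no', hasElevatedGroup($safeDisabled) ? 'yes' : 'no');
printf("hardened (enabled):  created=%s groups=%s\n",
    $safeEnabled ? 'yes' : 'no', json_encode($safeEnabled['groups'] ?? []));
```

Run with `php example.php`. The vulnerable path creates an account in group 8 even though the site never asked for it; the hardened path returns nothing while registration is disabled and, when enabled, always assigns the default group regardless of what the request contains. The same allow-list-then-assign shape applies to any framework whose model `bind()` accepts an untrusted array.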

“As administrators can install extension packages on their site, an attacker could use his freshly hacked administrator account to upload a remote shell on the site and further compromise the server,” Montpas warned.

This story was updated on Thursday, October 27 with statements and information from Sucuri.

Authors

Threatpost
